1132 lines
22 KiB
HTML
1132 lines
22 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Setting up the Gateway Services</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Authentication Gateway HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="What is needed"
|
|
HREF="services.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Using the authentication gateway"
|
|
HREF="usage.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Authentication Gateway HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="services.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="usage.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="SETUP"
|
|
></A
|
|
>3. Setting up the Gateway Services</H1
|
|
><P
|
|
>
|
|
This section describes how to setup each piece of the
|
|
authentication gateway. The examples used are for a public network
|
|
in the 10.0.1.0 subnet. eth0 is the interface on the box that is
|
|
connected to the internal network. eth1 is the interface connected
|
|
to the public network. The IP address used for this interface is
|
|
10.0.1.1. These settings can be changed to fit the network you are
|
|
using. Red Hat 7.1 was used for the gateway box, so a lot of the
|
|
examples are specific to Red Hat.
|
|
|
|
</P
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="NETFILTERSETUP"
|
|
></A
|
|
>3.1. Netfilter Setup</H2
|
|
><P
|
|
> To setup netfilter the kernel must be recompiled to include
|
|
netfilter support. Please see the <A
|
|
HREF="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html"
|
|
TARGET="_top"
|
|
>Kernel-HOWTO</A
|
|
>
|
|
for more information on configuring and compiling your kernel.
|
|
|
|
</P
|
|
><P
|
|
> This is what my kernel configuration looked like.
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> #
|
|
# Networking options
|
|
#
|
|
CONFIG_PACKET=y
|
|
# CONFIG_PACKET_MMAP is not set
|
|
# CONFIG_NETLINK is not set
|
|
CONFIG_NETFILTER=y
|
|
CONFIG_NETFILTER_DEBUG=y
|
|
CONFIG_FILTER=y
|
|
CONFIG_UNIX=y
|
|
CONFIG_INET=y
|
|
CONFIG_IP_MULTICAST=y
|
|
# CONFIG_IP_ADVANCED_ROUTER is not set
|
|
# CONFIG_IP_PNP is not set
|
|
# CONFIG_NET_IPIP is not set
|
|
# CONFIG_NET_IPGRE is not set
|
|
# CONFIG_IP_MROUTE is not set
|
|
# CONFIG_INET_ECN is not set
|
|
# CONFIG_SYN_COOKIES is not set
|
|
|
|
|
|
# IP: Netfilter Configuration
|
|
#
|
|
CONFIG_IP_NF_CONNTRACK=y
|
|
CONFIG_IP_NF_FTP=y
|
|
CONFIG_IP_NF_IPTABLES=y
|
|
CONFIG_IP_NF_MATCH_LIMIT=y
|
|
CONFIG_IP_NF_MATCH_MAC=y
|
|
CONFIG_IP_NF_MATCH_MARK=y
|
|
CONFIG_IP_NF_MATCH_MULTIPORT=y
|
|
CONFIG_IP_NF_MATCH_TOS=y
|
|
CONFIG_IP_NF_MATCH_TCPMSS=y
|
|
CONFIG_IP_NF_MATCH_STATE=y
|
|
CONFIG_IP_NF_MATCH_UNCLEAN=y
|
|
CONFIG_IP_NF_MATCH_OWNER=y
|
|
CONFIG_IP_NF_FILTER=y
|
|
CONFIG_IP_NF_TARGET_REJECT=y
|
|
CONFIG_IP_NF_TARGET_MIRROR=y
|
|
CONFIG_IP_NF_NAT=y
|
|
CONFIG_IP_NF_NAT_NEEDED=y
|
|
CONFIG_IP_NF_TARGET_MASQUERADE=y
|
|
CONFIG_IP_NF_TARGET_REDIRECT=y
|
|
CONFIG_IP_NF_NAT_FTP=y
|
|
CONFIG_IP_NF_MANGLE=y
|
|
CONFIG_IP_NF_TARGET_TOS=y
|
|
CONFIG_IP_NF_TARGET_MARK=y
|
|
CONFIG_IP_NF_TARGET_LOG=y
|
|
CONFIG_IP_NF_TARGET_TCPMSS=y
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> Once netfilter has been configured, turn on IP forwarding by
|
|
executing this command.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> To make sure ip forwarding is enabled when the machine restarts
|
|
add the following line to <TT
|
|
CLASS="FILENAME"
|
|
>/etc/sysctl.conf</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> net.ipv4.ip_forward = 1
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>
|
|
If NocatAuth is being used, you can skip to the <A
|
|
HREF="setup.html#NOCATGATEWAYSETUP"
|
|
>NoCatAuth gateway setup</A
|
|
> section.
|
|
|
|
</P
|
|
><P
|
|
>
|
|
iptables needs to be installed. To install iptables either use a
|
|
package from your distribution or install from source. Once the
|
|
above options were compiled in the new kernel and iptables was
|
|
installed, I set the following default firewall rules.
|
|
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
|
|
iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
|
|
iptables -I FORWARD -o eth0 -j DROP
|
|
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> The above commands can also be put in an initscript to start up
|
|
when the server restarts. To make sure the rules have been added
|
|
issue the following commands:
|
|
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> iptables -v -t nat -L
|
|
iptables -v -t filter -L
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> To save these rules I used Red Hat's init scripts.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> /etc/init.d/iptables save
|
|
/etc/init.d/iptables restart
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>
|
|
Now the gateway box will be able to do network address translation
|
|
(NAT), but it will drop all forwarding packets except those coming
|
|
from within the public network and bound for the gateway.
|
|
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="DYNAMICNETFILTER"
|
|
></A
|
|
>3.2. Dynamic Netfilter rules.</H2
|
|
><P
|
|
>
|
|
This section describes how to setup the software needed to
|
|
dynamically insert and remove Netfilter rules on the gateway.
|
|
|
|
</P
|
|
><DIV
|
|
CLASS="SECT3"
|
|
><H3
|
|
CLASS="SECT3"
|
|
><A
|
|
NAME="PAMIPTABLESSETUP"
|
|
></A
|
|
>3.2.1. PAM iptables Module</H3
|
|
><P
|
|
> The PAM session module that inserts the firewall rules is
|
|
needed to allow forwarding for the authenticated client. To set it
|
|
up simply get the <A
|
|
HREF="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz"
|
|
TARGET="_top"
|
|
>source</A
|
|
>
|
|
and compile it by running the following commands.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> gcc -fPIC -c pam_iptables.c
|
|
ld -x --shared -o pam_iptables.so pam_iptables.o
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> You should now have two binaries called
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>pam_iptables.so</TT
|
|
> and <TT
|
|
CLASS="FILENAME"
|
|
>pam_iptables.o</TT
|
|
>.
|
|
Copy <TT
|
|
CLASS="FILENAME"
|
|
>pam_iptables.so</TT
|
|
> to
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/lib/security/pam_iptables.so</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> cp pam_iptables.so /lib/security/pam_iptables.so
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> Now install the firewall script to /usr/local/auth-gw.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> mkdir /usr/local/auth-gw
|
|
cp insFwall /usr/local/auth-gw
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> The chosen authentication client for the gateway was ssh so we added the
|
|
following line to <TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.d/sshd</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> session required /lib/security/pam_iptables.so
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> Now, when a user logs in with ssh, the firewall rule will be added.
|
|
</P
|
|
><P
|
|
> To test if the pam_iptables module is working perform the following
|
|
steps:
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
>Log into the box with ssh.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Check to see if the rule was added with the command
|
|
<B
|
|
CLASS="COMMAND"
|
|
>iptables -L -v</B
|
|
>.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Log out of the box to make sure the rule is removed.</P
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT3"
|
|
><H3
|
|
CLASS="SECT3"
|
|
><A
|
|
NAME="NOCATGATEWAYSETUP"
|
|
></A
|
|
>3.2.2. NoCatAuth gateway</H3
|
|
><P
|
|
>
|
|
This section describes the process of setting up the NocatAuth
|
|
gateway. To setup NocatAuth get the <A
|
|
HREF="http://nocat.net/download/NoCatAuth/"
|
|
TARGET="_top"
|
|
>source</A
|
|
> and
|
|
install with the following steps.
|
|
|
|
</P
|
|
><P
|
|
>
|
|
Make sure gpgv is installed. gpgv is a PGP signature verifier.
|
|
It is part of gnupg and can be found at <A
|
|
HREF="http://www.gnupg.org/download.html"
|
|
TARGET="_top"
|
|
>http://www.gnupg.org/download.html</A
|
|
>.
|
|
|
|
</P
|
|
><P
|
|
> Unpack the NocatAuth tar file.
|
|
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> tar xvzf NocatAuth-x.xx.tar.gz
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
>
|
|
If you do not want NoCatAuth to be in the directory
|
|
/usr/local/nocat, edit the Makefile and change INST_PATH to the
|
|
directory you would like NoCatAuth to reside.
|
|
|
|
</P
|
|
><P
|
|
> Next build the gateway.
|
|
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> cd NoCatAuth-x.xx
|
|
make gateway
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
>
|
|
Edit the /usr/local/nocat.conf file. Please see the INSTALL
|
|
documentation for details on what is required in the conf
|
|
file. An example conf file looks like the following:
|
|
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>
|
|
###### gateway.conf -- NoCatAuth Gateway Configuration.
|
|
#
|
|
# Format of this file is: Directive Value, one per
|
|
# line. Trailing and leading whitespace is ignored. Any
|
|
# line beginning with a punctuation character is assumed to
|
|
# be a comment.
|
|
|
|
Verbosity 10
|
|
#we are behind a NAT so put the gateway in passive mode
|
|
GatewayMode Passive
|
|
GatewayLog /usr/local/nocat/nocat.log
|
|
LoginTimeout 300
|
|
|
|
######Open Portal settings.
|
|
HomePage http://www.itlab.musc.edu/
|
|
DocumentRoot /usr/local/nocat/htdocs
|
|
SplashForm splash.html
|
|
###### Active/Passive Portal settings.
|
|
TrustedGroups Any
|
|
AuthServiceAddr egon.itlab.musc.edu
|
|
AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
|
|
LogoutURL https://$AuthServiceAddr/forms/logout.html
|
|
###### Other Common Gateway Options.
|
|
AllowedWebHosts egon.itlab.musc.edu
|
|
ResetCmd initialize.fw
|
|
PermitCmd access.fw permit $MAC $IP $Class
|
|
DenyCmd access.fw deny $MAC $IP $Class
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>
|
|
Now you should be able to start the gateway. If any problems
|
|
occur, please see the INSTALL documentation in the unpacked
|
|
NoCatAuth directory. The following command will start the
|
|
gateway:
|
|
|
|
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> /usr/local/nocat/bin/gateway
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="DHCPDSETUP"
|
|
></A
|
|
>3.3. DHCP Server Setup</H2
|
|
><P
|
|
>I installed DHCP using the following
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>dhcpd.conf</TT
|
|
> file.
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> subnet 10.0.1.0 netmask 255.255.255.0 {
|
|
# --- default gateway
|
|
option routers 10.0.1.1;
|
|
option subnet-mask 255.255.255.0;
|
|
option broadcast-address 10.0.1.255;
|
|
|
|
option domain-name-servers 10.0.1.1;
|
|
range 10.0.1.3 10.0.1.254;
|
|
option time-offset -5; # Eastern Standard Time
|
|
|
|
default-lease-time 21600;
|
|
max-lease-time 43200;
|
|
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> The server was then run using eth1 , the interface to the public
|
|
net.
|
|
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> /usr/sbin/dhcpd eth1
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AUTHENTICATIONSETUP"
|
|
></A
|
|
>3.4. Authentication Method Setup</H2
|
|
><P
|
|
>
|
|
Authentication with PAM and a NoCatAuth authentication service is
|
|
described. Both examples are done with LDAP. Other means of
|
|
authentication besides LDAP can be used. Please read the
|
|
documentation for PAM and NoCatAuth to find the steps to use
|
|
another authentication source.
|
|
|
|
</P
|
|
><DIV
|
|
CLASS="SECT3"
|
|
><H3
|
|
CLASS="SECT3"
|
|
><A
|
|
NAME="PAMLDAP"
|
|
></A
|
|
>3.4.1. PAM LDAP</H3
|
|
><P
|
|
> As indicated in previous sections, I've set this gateway up to use
|
|
LDAP for authenticating. However, you can use any means that PAM
|
|
allows for authentication. See <A
|
|
HREF="services.html#AUTHENTICATION"
|
|
>Section 2.4</A
|
|
> for
|
|
more information.
|
|
|
|
</P
|
|
><P
|
|
>
|
|
In order to get PAM LDAP to authenticate, I installed <A
|
|
HREF="http://www.openldap.org"
|
|
TARGET="_top"
|
|
>OpenLDAP</A
|
|
> and configured it
|
|
with the following in <TT
|
|
CLASS="FILENAME"
|
|
>/etc/ldap.conf</TT
|
|
>.
|
|
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> # Your LDAP server. Must be resolvable without using LDAP.
|
|
host itc.musc.edu
|
|
|
|
# The distinguished name of the search base.
|
|
base dc=musc,dc=edu
|
|
ssl no
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>
|
|
The following files were used to configure PAM to do the LDAP
|
|
authentication. These files were generated by Red Hat's
|
|
configuration utility.
|
|
|
|
</P
|
|
><P
|
|
></P
|
|
><DIV
|
|
CLASS="VARIABLELIST"
|
|
><DL
|
|
><DT
|
|
><TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.d/system-auth</TT
|
|
> was created and looked
|
|
like this.</DT
|
|
><DD
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> #%PAM-1.0
|
|
# This file is auto-generated.
|
|
# User changes will be destroyed the next time authconfig is run.
|
|
auth required /lib/security/pam_env.so
|
|
auth sufficient /lib/security/pam_unix.so likeauth nullok
|
|
auth sufficient /lib/security/pam_ldap.so use_first_pass
|
|
auth required /lib/security/pam_deny.so
|
|
|
|
account required /lib/security/pam_unix.so
|
|
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
|
|
|
|
password required /lib/security/pam_cracklib.so retry=3
|
|
password sufficient /lib/security/pam_unix.so nullok use_authtok
|
|
password sufficient /lib/security/pam_ldap.so use_authtok
|
|
password required /lib/security/pam_deny.so
|
|
|
|
session required /lib/security/pam_limits.so
|
|
session required /lib/security/pam_unix.so
|
|
session optional /lib/security/pam_ldap.so
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></DD
|
|
><DT
|
|
>Then the following
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/pam.d/sshd</TT
|
|
> file was created.</DT
|
|
><DD
|
|
><P
|
|
> <TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> #%PAM-1.0
|
|
auth required /lib/security/pam_stack.so service=system-auth
|
|
auth required /lib/security/pam_nologin.so
|
|
account required /lib/security/pam_stack.so service=system-auth
|
|
password required /lib/security/pam_stack.so service=system-auth
|
|
session required /lib/security/pam_stack.so service=system-auth
|
|
#this line is added for firewall rule insertion upon login
|
|
session required /lib/security/pam_iptables.so debug
|
|
session optional /lib/security/pam_console.so
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></DD
|
|
></DL
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT3"
|
|
><H3
|
|
CLASS="SECT3"
|
|
><A
|
|
NAME="NOCATAUTHSERVICE"
|
|
></A
|
|
>3.4.2. NoCatAuth Service</H3
|
|
><P
|
|
>
|
|
It is recommended to install the NoCatAuth Service on another
|
|
server besides the gateway. A seperate server was used in my
|
|
examples. In order to setup a NoCatAuth Service, you will need
|
|
the following software:
|
|
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
>
|
|
An SSL enabled webserver, preferably with a registered SSL cert.
|
|
I used Apache + mod_ssl.
|
|
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Perl 5 (5.6 or better recommended)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>
|
|
Net::LDAP, Digest::MD5, DBI, and DBD::MySQL perl modules (get them
|
|
from CPAN) The module you need depends on what authentication
|
|
source you are going to use. In my example Net::LDAP is used as
|
|
the authentication means.
|
|
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Gnu Privacy Guard (gnupg 1.0.6 or better), available at
|
|
http://www.gnupg.org/download.html
|
|
</P
|
|
></LI
|
|
></OL
|
|
><P
|
|
> To install unpack the tar file.
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> $ tar zvxf NoCatAuth-x.xx.tar.gz
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> If you would like to change the path that NoCatAuth resides , edit the
|
|
Makefile and change INST_PATH to the desired directory.
|
|
</P
|
|
><P
|
|
> Next run the command:
|
|
<B
|
|
CLASS="COMMAND"
|
|
> make authserv </B
|
|
>
|
|
This installs everything in /usr/local/nocat or what you changed INST_PATH
|
|
to.
|
|
</P
|
|
><P
|
|
> Then run <B
|
|
CLASS="COMMAND"
|
|
> make pgpkey </B
|
|
>
|
|
The defaults should be fine for most purposes.
|
|
IMPORTANT: do NOT enter a passphrase! Otherwise, you will get strange
|
|
messages when the auth service attempts to encrypt messages, and tries to
|
|
read your passphrase from a non-existent tty
|
|
</P
|
|
><P
|
|
> Edit /usr/local/nocat/nocat.conf to fit your situation.
|
|
Here is an example:
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> ###### authserv.conf -- NoCatAuth Authentication Service Configuration.
|
|
#
|
|
# Format of this file is: Directive Value, one per
|
|
# line. Trailing and leading whitespace is ignored. Any
|
|
# line beginning with a punctuation character is assumed to
|
|
# be a comment.
|
|
|
|
Verbosity 10
|
|
HomePage http://www.itlab.musc.edu/
|
|
DocumentRoot /usr/local/nocat/htdocs
|
|
# LDAP source
|
|
DataSource LDAP
|
|
LDAPHost authldap.musc.edu
|
|
LDAPBase dc=musc,dc=edu
|
|
|
|
UserTable Member
|
|
UserIDField User
|
|
UserPasswdField Pass
|
|
UserAuthField Status
|
|
UserStampField Created
|
|
|
|
GroupTable Network
|
|
GroupIDField Network
|
|
GroupAdminField Admin
|
|
MinPasswdLength 8
|
|
|
|
# LocalGateway -- If you run auth service on the same subnet
|
|
# (or host) as the gateway you need to specify the hostname
|
|
# of the gateway. Otherwise omit it. (Requires Net::Netmask)
|
|
#
|
|
# LocalGateway 192.168.1.7
|
|
|
|
LoginForm login.html
|
|
LoginOKForm login_ok.html
|
|
FatalForm fatal.html
|
|
ExpiredForm expired.html
|
|
RenewForm renew.html
|
|
PassiveRenewForm renew_pasv.html
|
|
RegisterForm register.html
|
|
RegisterOKForm register_ok.html
|
|
RegisterFields Name URL Description
|
|
|
|
UpdateForm update.html
|
|
UpdateFields URL Description
|
|
|
|
###### Auth service user messages. Should be self-explanatory.
|
|
#
|
|
LoginGreeting Greetings! Welcome to the Medical University of SC's Network.
|
|
LoginMissing Please fill in all fields!
|
|
LoginBadUser That e-mail address is unknown. Please try again.
|
|
LoginBadPass That e-mail and password do not match. Please try again.
|
|
LoginBadStatus Sorry, you are not a registered co-op member.
|
|
|
|
RegisterGreeting Welcome! Please enter the following information to register.RegisterMissing Name, E-mail, and password fields must be filled in.
|
|
RegisterUserExists Sorry, that e-mail address is already taken. Are you already registered?
|
|
RegisterBadUser The e-mail address provided appears to be invalid. Did you spell it correctly?
|
|
RegisterInvalidPass All passwords must be at least six characters long.
|
|
RegisterPassNoMatch The passwords you provided do not match. Please try again.
|
|
RegisterSuccess Congratulations, you have successfully registered.
|
|
|
|
UpdateGreeting Enter your E-mail and password to update your info.
|
|
UpdateBadUser That e-mail address is unknown. Please try again.
|
|
UpdateBadPass That e-mail and password do not match. Please try again.
|
|
UpdateInvalidPass New passwords must be at least eight characters long.
|
|
UpdatePassNoMatch The new passwords you provided do not match. Please try again.
|
|
UpdateSuccess Congratulations, you have successfully updated your account.
|
|
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> Make sure /usr/local/nocat/pgp is owned by the web server user. (ie..nobody or www-data)
|
|
</P
|
|
><P
|
|
> Add etc/authserv.conf to your apache httpd.conf file.
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> Include /usr/local/nocat/etc/authserv.conf </PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> Copy your /usr/local/nocat/trustedkeys.pgp to the gateway.
|
|
Restart apache and try it out. Please see the NoCatAuth
|
|
documentation for more information. It can be found in docs/ in
|
|
the unpacked NoCatAuth directory.
|
|
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="DNSSETUP"
|
|
></A
|
|
>3.5. DNS Setup</H2
|
|
><P
|
|
> I installed the default version of Bind that comes with Red Hat
|
|
7.1, and the caching-nameserver RPM. The DHCP server tells the
|
|
machines on the public net to use the gateway box as their
|
|
nameserver.
|
|
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="services.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="usage.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>What is needed</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Using the authentication gateway</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |